CVE-2023-45143

CVE-2023-45143 affects Undici, an HTTP/1.1 client for Node.js. Prior to version 5.26.2, Undici cleared Authorization headers on cross-origin redirects but did not clear Cookie headers, which are forbidden in browser environments. This mismatch between Undici’s header handling and the browser/spec...

CVE-2023-24807

The CVE-2023-24807 issue is in Undici’s header normalization (headerValueNormalize) used by the Headers.fetch API, allowing a Regular Expression Denial of Service when untrusted header values are processed. Affected range is before Undici v5.19.1; the vulnerability is fixed in v5.19.1. Upgrading ...

CVE-2023-23936

CVE-2023-23936 affects the Node.js Fetch API: CRLF injection in host headers. Concretely, affected versions include Node.js packages prior to patch levels (e.g.,

CVE-2022-31150

CVE-2022-31150 (undici): An HTTP/1.1 client for Node.js is vulnerable to CRLF injection in request headers in undici versions

CVE-2022-35949

CVE-2022-35949 (undici SSRF) : Undici’s HTTP/1.1 client is vulnerable to SSRF when user input is passed into the pathname option of undici.request, allowing an attacker to cause requests to be sent to internal hosts (e.g., 127.0.0.1) by manipulating the path. The issue arises from combining the b...

CVE-2022-35948

CVE-2022-35948 affects the undici HTTP/1.1 client for Node.js. When user input is unsanitized in the Content-Type header, CRLF Injection can cause multiple requests in a single call (e.g., two GETs). The issue is fixed in undici v5.8.1; workaround: sanitize input before sending as a Content-Type ...

CVE-2022-31151

CVE-2022-31151 affects the Node.js undici HTTP client. The issue is that during cross-origin redirects, authorization headers are cleared but cookie headers are not, potentially leaking cookies to a third party if an attacker controls the redirect target. The problem was patched in undici v5.7.1,...

CVE-2024-30260

Undici (Node.js HTTP/1.1 client) had a header handling flaw: Authorization and Proxy-Authorization were cleared for fetch() but not for undici.request(), exposing potential credential leakage. The issue is addressed in patched releases 5.28.4 and 6.11.1. Affected users should upgrade to these ver...

CVE-2024-30261

CVE-2024-30261 affects Undici (the HTTP/1.1 client used by Node.js). The issue lets an attacker modify the integrity option passed to fetch(), causing fetch() to accept tampered requests. It has been patched in Undici versions 5.28.4 and 6.11.1. Affected Node.js ecosystems (via Undici) may need u...

CVE-2024-24758

Undici (Node.js HTTP/1.1 client) has a vulnerability where Proxy-Authorization headers were not cleared during cross-origin redirects. It is fixed in versions 5.28.3 and 6.6.1. Affected versions include older releases prior to these patches; upgrading to 5.28.3 or 6.6.1 or newer is advised. The i...

CVE-2022-32210

CVE-2022-32210 concerns Undici’s ProxyAgent, which, per the connected document, does not verify the remote server’s TLS certificate and propagates all request/response data to the proxy. This can enable a proxy to perform a Man‑in‑the‑Middle on HTTPS traffic, and if the proxy URL is HTTP, nominal...

CVE-2026-1525

CVE-2026-1525 is an Undici HTTP client issue where passing duplicate Content-Length headers (especially with mixed case variants like Content-Length and content-length) can produce malformed HTTP/1.1 requests and enable HTTP Request Smuggling in misconfigured environments. Public advisories indic...

CVE-2026-12151

The CVE affects the undici WebSocket client (and WebSocketStream API) where maxPayloadSize is enforced per-frame but there is no limit on the number of fragments in a message. A malicious server can send many small or empty continuation frames, each passing validation, causing unbounded memory gr...

CVE-2024-24750

CVE-2024-24750 affects Undici, the HTTP/1.1 client used with Node.js. The vulnerability causes a memory leak when calling fetch(url) and not consuming the incoming body (or consuming it very slowly). The issue has been fixed in Undici version 6.6.1 . Remediation: upgrade to 6.6.1 or ensure the in...

CVE-2026-1526

undici WebSocket PerMessageDeflate.decompress() can accumulate decompressed data without a size limit, enabling a decompression bomb that may exhaust Node.js memory and crash or render the process unresponsive. The description specifies a denial-of-service via memory exhaustion. No remediation or...

CVE-2026-2229

The CVE affects the undici WebSocket client. It arises from improper validation of the server_max_window_bits parameter in the permessage-deflate extension: isValidClientWindowBits() only checks ASCII digits and not the 8–15 range, and createInflateRaw() is not wrapped in a try-catch. A malicious...

CVE-2026-11525

The issue affects undici’s cookie parsing in Set-Cookie headers. The root cause is a permissive substring match for the SameSite attribute during parsing, accepting any value containing Strict, Lax, or None instead of enforcing a case-insensitive exact match per RFC 6265. This can cause downstrea...

CVE-2026-1528

CVE-2026-1528 : A flaw in undici’s WebSocket handling allows a server to reply with a 64‑bit length frame that specifies an extremely large length. The ByteParser overflows internal math, enters an invalid state, and throws a fatal TypeError that terminates the process. Affected: undici (Node.js ...

CVE-2026-22036

Undici (HTTP/1.1 client for Node.js) contains a vulnerability in its decompression chain handling. Before versions 7.18.0 and 6.23.0, the chain can have an unbounded number of links, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, causing high CPU...

CVE-2026-9697

undici’s ProxyAgent drops the requestTls option when used with a SOCKS5 proxy (socks5:// or socks://), causing the HTTPS connection to rely on Node’s default trust store and ignore user-provided ca, cert, key, rejectUnauthorized, and servername. This allows any cert signed by a publicly trusted C...

CVE-2026-2581

Undici (deduplication interceptor) is affected by CVE-2026-2581: when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers, especially with large or chunked responses and concurrent identical requests, causing high m...

CVE-2026-9675

The CVE-2026-9675 issue affects the undici WebSocket client (new WebSocket(...)) where per-frame maxPayloadSize is enforced but the cumulative size of fragmented, uncompressed messages is not. A attacker-controlled WebSocket endpoint can stream many small fragments that pass per-frame validation ...

CVE-2026-1527

Undici (Node.js HTTP client) is vulnerable to a CRLF injection via the upgrade option in client.request() when user-controlled input is passed to the upgrade value. The root cause is that the upgrade value is written directly to the socket without validating header characters, allowing an attacke...

CVE-2026-9679

undici vulnerability CVE-2026-9679 affects the cookie parsing paths (parseSetCookie, parseCookie, getSetCookies). The cookie parser percent-decodes values (via qsUnescape), turning sequences like %0D%0A, %00, %3B, and %3D into literal bytes. RFC 6265 §5.4 does not require decoding and browsers do...

CVE-2026-9678

Undici (node) vulnerability CVE-2026-9678: in shared-cache mode, the cache interceptor may misclassify responses as cacheable when Cache-Control uses whitespace-padded private/no-cache directives (e.g., private=" authorization" or no-cache="\tauthorization"). The whitespace is preserved by the pa...